W32.Toxbot
March 12, 2005
W32.Toxbot is a worm that opens an IRC back door on the compromised computer and spreads by exploiting vulnerabilities.
When W32.Toxbot is executed, it performs the following actions:
Creates a copy of itself as %System%\[random file name].exe.
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Where [random file name] is usually 8 characters long. Possible examples of [random file name] include:
TrkWksrv.exe
dxdllsvc.exe
ciclient.exe
Adds the value:
"(Default)" = "Service"
to the registry subkeys:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\[random file name]
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Network\[random file name]
so that it is executed every time Windows starts.
Adds the registry subkeys:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_[random file name]
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\[random file name]
Installs a back door allowing a remote attacker to have unauthorized access to the compromised computer via IRC channels. The back door allows the remote attacker to perform the following actions:
Log keystrokes
End processes
Steal cached passwords
Steal system information
Download remote files
Spreads by exploiting the following vulnerabilities:
The Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026).
The Microsoft Windows ntdll.dll Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS03-007).
The Microsoft SQL Server Web Task Stored Procedure Privilege Escalation Vulnerability (as described in Microsoft Security Bulletin MS02-061).
Checks for the presence of the virtual infrastructure software VMware by searching for the registry subkey HKEY_LOCAL_MACHINE\Software\VMware. The worm will not run on computers running this software.
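The persistence pattern above (a SafeBoot\Minimal and SafeBoot\Network entry with a "(Default)" value of "Service", a matching Services subkey whose binary sits in %System%, and an Enum\Root\LEGACY_ key) can be audited from an elevated PowerShell session. The script below is an added example for defenders, not part of the Symantec writeup; it assumes an NT-family host where %System% is %SystemRoot%\System32, and it produces a review list rather than a verdict, since legitimate services also appear under SafeBoot.

```powershell
# Added audit script (not from the original advisory). Lists SafeBoot entries that
# match the W32.Toxbot persistence pattern so an analyst can review them. Run elevated.
$cs     = 'HKLM:\SYSTEM\CurrentControlSet'
$sysDir = Join-Path $env:SystemRoot 'System32'   # %System% on Windows NT/2000/XP and later

function Get-SafeBootCandidates {
    $results = @()
    foreach ($mode in 'Minimal', 'Network') {
        $base = "$cs\Control\SafeBoot\$mode"
        if (-not (Test-Path $base)) { continue }
        foreach ($key in Get-ChildItem -Path $base) {
            $name    = $key.PSChildName
            $default = (Get-ItemProperty -Path $key.PSPath).'(default)'
            if ($default -ne 'Service') { continue }     # value the worm writes

            # Indicator 2: a Services\<name> key whose ImagePath is a bare .exe in %System%
            $svcKey = "$cs\Services\$name"
            if (-not (Test-Path $svcKey)) { continue }
            $image = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
            if (-not $image) { continue }
            $image    = [Environment]::ExpandEnvironmentVariables($image).Trim('"')
            $inSystem = $image -like "$sysDir\*.exe"
            $baseName = [IO.Path]::GetFileNameWithoutExtension($image)

            # Indicator 3: the Enum\Root\LEGACY_<name> key the worm also creates
            $legacy = Test-Path "$cs\Enum\Root\LEGACY_$name"

            # Unsigned binaries in %System% deserve the closest look
            $signed = $false
            if (Test-Path $image) {
                $signed = (Get-AuthenticodeSignature -FilePath $image).Status -eq 'Valid'
            }

            $results += [pscustomobject]@{
                SafeBootMode = $mode
                Name         = $name
                ImagePath    = $image
                InSystemDir  = $inSystem
                EightChars   = ($baseName.Length -eq 8)   # "usually 8 characters long"
                LegacyKey    = $legacy
                Signed       = $signed
            }
        }
    }
    # Rank by how many of the advisory's indicators line up, unsigned first
    $results | Sort-Object -Property `
        @{Expression = { [int]$_.InSystemDir + [int]$_.EightChars + [int]$_.LegacyKey }; Descending = $true},
        @{Expression = { $_.Signed }; Descending = $false}
}

Get-SafeBootCandidates | Format-Table -AutoSize
```

Entries that score three indicators and are unsigned warrant a hash lookup and a check of the IRC traffic the back door would generate; everything else on the list is most likely a legitimate service that is simply permitted in Safe Mode.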